How holding the door for someone can get you hacked

A SIMPLE act of kindness, such as holding a door open for someone, can compromise your business’s security, research has revealed.

Companies in Peterborough invest hundreds of thousands of pounds every year to protect confidential information from cyber-criminals who try to hack into their IT systems. Now a communications company has carried out an exercise in ‘social engineering’ to show just how vulnerable businesses are.

Social engineering tactics can give criminals unfettered access to sensitive data through a mixture of confidence tricks and basic employee deception. Techniques as simple as carrying two cups of coffee and waiting for people to hold office doors open can result in high level access to an organisation and its information.

The professional services arm of Siemens Enterprise Communications recently ran a ‘social engineering’ exercise at a FTSE-listed financial services firm. A Siemens security consultant targeted the client company for a week to see what level of access to information he could achieve using social engineering tactics. Without the aid of any special equipment, the Siemens consultant was able to:

  • Enter the company’s office without being challenged by security staff
  • Base himself in a meeting room, where he worked for several days
  • Freely access different floors, store rooms (containing large amounts of confidential information), filing cabinets and confidential data left on desks
  • Access the company’s data room, IT, and telecoms network
  • Use the internal telephone system to call employees, claiming to be from the IT dept (backed up by the caller ID), and request information. Of twenty users targeted, seventeen supplied their usernames and passwords giving him easy access to confidential electronic data
  • Establish that CCTV domes fitted on the ceilings were non operational.

“Social engineering is principally concerned with manipulating people into performing actions or divulging confidential information in order to access electronic or physical data,” says Colin Greenlees, a security and counter fraud consultant. “Hi-tech protection systems are completely ineffectual against such attacks, and most employees are utterly unaware that they are being manipulated. Worryingly many staff positively assisted with information being compromised.

“The scary thing is that it’s all simple stuff. It’s just confidence, looking the part and basic trickery such as ‘tailgating’ people through swipe card operated doors or, if you’re really going for it, carrying two cups of coffee and waiting for people to hold doors open for you.”

During the week of the FTSE exercise, the Siemens consultant befriended a number of employees at the target company and was even on first name terms with the foyer security guard. On two separate occasions, he was even able to escort a second Siemens consultant into the building who was able to perform further analysis of the company’s IT network.

“Most security experts agree that dishonest employees are the greatest risk to company data leaking outside an organisation, many of whom are working with a criminal gang before they even enter employment,” said Mr Greenlees. “However, social engineering that tricks genuine employees into providing access to confidential data is a fast growing issue. It’s important that senior executives understand how easy this is, but also how they can effectively counter the threat by actually practising what they preach.”